add timestamps to management requests

This commit is contained in:
Akbar Rahman 2024-04-11 19:06:53 +01:00
parent 11ecfe7cb0
commit 53af0e1087
Signed by: alvierahman90
GPG Key ID: 6217899F07CA2BDF
4 changed files with 59 additions and 18 deletions

View File

@ -6,6 +6,7 @@ services:
ports: [ "8430:80" ] ports: [ "8430:80" ]
environment: environment:
- SECRET=${SECRET} - SECRET=${SECRET}
- MAX_AGE_MS=${MAX_AGE_MS}
restart: unless-stopped restart: unless-stopped
redis: redis:
hostname: sus-redis hostname: sus-redis

32
main.go
View File

@ -24,6 +24,8 @@ import (
"log" "log"
"net/http" "net/http"
"os" "os"
"strconv"
"time"
"github.com/go-redis/redis/v8" "github.com/go-redis/redis/v8"
"github.com/gorilla/mux" "github.com/gorilla/mux"
@ -38,6 +40,7 @@ var client = redis.NewClient(&redis.Options{
var SECRET string var SECRET string
var INDEX_GET_REDIRECT = "http://alv.cx" var INDEX_GET_REDIRECT = "http://alv.cx"
var MAX_AGE_MS int64 = 500
func main() { func main() {
r := mux.NewRouter() r := mux.NewRouter()
@ -59,6 +62,14 @@ func main() {
INDEX_GET_REDIRECT = p INDEX_GET_REDIRECT = p
} }
if p, ok := os.LookupEnv("MAX_AGE_MS"); ok {
if v, err := strconv.ParseInt(p, 10, 64); err != nil {
fmt.Printf("Unable to parse environment variable MAX_AGE_MS: %v\n", p)
} else {
MAX_AGE_MS = v
}
}
log.Fatal(http.ListenAndServe(listenAddress, r)) log.Fatal(http.ListenAndServe(listenAddress, r))
} }
@ -74,16 +85,29 @@ func indexHandler(w http.ResponseWriter, r *http.Request) {
command := r.PostForm.Get("Command") command := r.PostForm.Get("Command")
shortlink := r.PostForm.Get("Shortlink") shortlink := r.PostForm.Get("Shortlink")
value := r.PostForm.Get("Value") value := r.PostForm.Get("Value")
fmt.Printf("command: %v, shortlink: %v, value: %v\n", command, shortlink, value) req_timestamp := r.PostForm.Get("Timestamp")
fmt.Println(shortlink) req_timestamp_int, err := strconv.ParseInt(req_timestamp, 10, 64)
fmt.Println(value) if err != nil {
w.WriteHeader(http.StatusBadRequest)
w.Write([]byte("Bad request"))
return
}
cur_timestamp := time.Now().UnixNano()
if req_timestamp_int+MAX_AGE_MS*1000*1000 < cur_timestamp {
w.WriteHeader(http.StatusBadRequest)
w.Write([]byte("Bad request"))
return
}
fmt.Printf("req_timestamp: %v, command: %v, shortlink: %v, value: %v\n", req_timestamp, command, shortlink, value)
signature := r.Header.Get("Signature") signature := r.Header.Get("Signature")
calculatedSignature := fmt.Sprintf( calculatedSignature := fmt.Sprintf(
"SUS-SIGNATURE-%v", "SUS-SIGNATURE-%v",
getSha256HMACSignature( getSha256HMACSignature(
[]byte(SECRET), []byte(SECRET),
command+":"+shortlink+":"+value, req_timestamp+":"+command+":"+shortlink+":"+value,
), ),
) )

View File

@ -39,6 +39,7 @@ flag is not provided.
- `LISTEN_ADDRESS`---the address the server is listening on (default is `0.0.0.0:80`) - `LISTEN_ADDRESS`---the address the server is listening on (default is `0.0.0.0:80`)
- `INDEX_GET_REDIRECT`---the URL the user should be redirected to if they try to access `/` on the - `INDEX_GET_REDIRECT`---the URL the user should be redirected to if they try to access `/` on the
server (default is `http://alv.cx`) server (default is `http://alv.cx`)
- `MAX_AGE_MS`---how old a request can be (in milliseconds) before the server will refuse to process it. (default is 500 milliseconds)
### setting up susmng ### setting up susmng

View File

@ -8,6 +8,7 @@ import pathlib
import os import os
import json import json
import sys import sys
import time
def get_args(): def get_args():
@ -51,20 +52,34 @@ def main(args):
if args.command == "delete" and args.value != "confirm": if args.command == "delete" and args.value != "confirm":
print("--value not set to 'confirm'... delete operation may fail") print("--value not set to 'confirm'... delete operation may fail")
r = requests.post(f"{'http' if args.http else 'https'}://{server}", # accoring to python documentation (https://docs.python.org/3/library/time.html#time.time)
# this function does not explicitly have to use unix time, and implementation is dependent
# platform.
# most platforms (windows, unix) will probably give unix time though.
#
# the server side (main.go file) does explicitly use unix time (time.Now().UnixNano()) to get
# this number, but hopefully there should be no issues on most platforms.
timestamp = str(time.time_ns())
data = { data = {
'Command': args.command, 'Command': args.command,
'Shortlink': args.shortlink, 'Shortlink': args.shortlink,
'Value': args.value, 'Value': args.value,
}, 'Timestamp': timestamp,
}
headers = { headers = {
'Signature': 'SUS-SIGNATURE-' + hmac.new( 'Signature': 'SUS-SIGNATURE-' + hmac.new(
secret.encode("UTF-8"), secret.encode("UTF-8"),
(args.command+":"+args.shortlink+":"+args.value).encode("UTF-8"), (timestamp + ":" + args.command + ":" + args.shortlink + ":" + args.value).encode("UTF-8"),
hashlib.sha256 hashlib.sha256
).hexdigest() ).hexdigest()
} }
)
print(f"{data=}")
print(f"{headers=}")
r = requests.post(f"{'http' if args.http else 'https'}://{server}", data=data, headers=headers)
print(r, file=sys.stderr) print(r, file=sys.stderr)
print(r.content.decode().strip()) print(r.content.decode().strip())
return 0 return 0